Russian security firm Kaspersky today released new research that adds another piece to the puzzle of a hacker group whose operations appear to stretch back further than researchers previously realized.
Research published last week from the security firm Malwarebytes shed new light on a hacking group, Red Stinger, that has been carrying out espionage operations against both pro-Ukraine victims in central Ukraine and pro-Russia victims in eastern Ukraine. The findings were intriguing because of the ideological mix of the targets and the lack of connections to other known hacking groups. A few weeks before Malwarebytes released its report, Kaspersky had also published research about the group, which it calls Bad Magic, and similarly concluded that the malware used in the attacks didn't have connections to any other known hacking tools. The research Kaspersky released today finally links the group to past activity and provides some preliminary context for understanding the attackers' possible motivations.
Adding the Malwarebytes research to what they had found independently, Kaspersky researchers reviewed historic telemetry data to look for connections. Eventually, they discovered that some of the cloud infrastructure and malware the group was using had similarities to espionage campaigns in Ukraine that the security company ESET identified in 2016, as well as campaigns the firm CyberX discovered in 2017.
“Malwarebytes found out more about the initial infection stage, and then they found more about the installer” used in some of the group's attacks since 2020, says Georgy Kucherin, a Kaspersky malware researcher. “After publishing our report about the malware, we decided to view historical data about similar campaigns that have similar targets and that have occurred in the past. That’s how we discovered the two similar campaigns from ESET and CyberX, and we concluded with medium to high confidence that the campaigns are tied together and they are all likely to be executed by the same actor.”
The different activity through time has similar victimology, meaning the group focused on the same types of targets, including both officials working for pro-Russia factions within Ukraine and Ukrainian government officials, politicians, and institutions. Kucherin also notes that he and his colleagues found similarities and multiple overlaps in the code of the plugins used by the group's malware. Some code even appeared to be copied and pasted from one campaign to the next. And the researchers saw similar use of cloud storage and characteristic file formats on the files the group exported to their servers.
The Malwarebytes research published last week documented five campaigns since 2020 by the hacking group, including one that targeted a member of Ukraine's military who works on Ukrainian critical infrastructure. Another campaign targeted pro-Russia election officials in eastern Ukraine, an adviser to Russia's Central Election Commission, and one who works on transportation in the region.
Back in 2016, ESET wrote of the activity it called “Operation Groundbait”: “The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics. While the attackers seem to be more interested in separatists and the self-declared governments in eastern Ukrainian war zones, there have also been a large number of other targets, including, among others, Ukrainian government officials, politicians, and journalists.”